1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention provides a method and apparatus for multicomputer communication using cryptography.
2. Description of Related Art
Web-based and Internet-based applications have become so commonplace that when one learns of a new product or service, one assumes that information about the product or service can be found on the World Wide Web and that, if appropriate, the product or service will incorporate Internet functionality into the product or service. Many corporations have employed proprietary data services for many years, but it is now commonplace for individuals and small enterprises to have access to digital communication services that operate through the Internet, which has caused the amount of electronic communication on the Internet to grow rapidly.
One of the factors influencing the growth of the Internet is the adherence to open standards for much of the Internet infrastructure. Individuals, public institutions, and commercial enterprises alike are able to introduce new content, products, and services that are quickly integrated into the digital infrastructure of the Internet because of their ability to exploit common knowledge of open standards.
Concerns about the integrity and privacy of electronic communication have also grown with adoption of Internet-based services. Various encryption and authentication technologies have been developed to protect electronic communication. For example, an open standard promulgated for protecting electronic communication is the X.509 standard for digital certificates.
An X.509 digital certificate is an International Telecommunications Union (ITU) standard that has been adopted by the Internet Engineering Task Force (IETF) body. It cryptographically binds the certificate holder, presumably identified by the subject name within the certificate, with the certificate holder's public cryptographic key. This cryptographic binding is based on the involvement of a trusted entity in the Public Key Infrastructure (PKI) called a “certificate authority”. As a result, a strong and trusted association between the certificate holder and its public key can become public information yet remain tamper-proof and reliable. An important aspect of this reliability is a digital signature that the certificate authority stamps on a certificate before it is released for use. Subsequently, whenever the certificate is presented to a system for use of a service, its signature is verified before the subject holder is authenticated. After the authentication process is successfully completed, the certificate holder may be provided access to certain information, services, or controlled resources, i.e. the certificate holder may be authorized to access certain systems.
Although PKI-based technology provides robust standards for secure communication, there is no known technique for performing authority delegation based on public/private cryptographic keys and digital certificate technology. Impersonation or authority delegation is a common technique that is used in security systems for enabling a user to allow an entity to temporarily perform some type of operation on behalf of the user upon a computational resource that the user is authorized to access. For example, Kerberos is an authentication system that performs trusted third-party authentication services by using secret-key cryptography. Kerberos provides support for impersonation by allowing users to forward their credentials, e.g., forwardable Kerberos ticket or proxiable Kerberos ticket, to another entity.
Given the usefulness of authority delegation or impersonation, the increasing usefulness of PKI-based solutions, and the lack of a known mechanism for performing PKI-based delegation, it would be advantageous to have a method and system for performing a PKI-based delegation process.